Posted by timothy on Thursday February 27, 2014 @10:26AM from the where-it-hurts dept.

An anonymous reader writes "By 'buying out' the most obvious lunch spot nearest the RSA conference yesterday, opponents and truth-seekers regarding RSA's alleged deal with the NSA raised awareness amongst attendees in the most brutal way possible: by taking away tacos and tequila drinks. Robert Imhoff, Vegas 2.0 co-founder, says, 'RSA could begin to fix this by going on the record with a detailed response about the accusations.'" I tried to get attendees of the conference to comment on camera — even a little bit — on what they thought of the NSA spying revelations, and not a single person I approached would do so. The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell. Especially at a conference where the NSA is surrounded by vendors who sell the hardware and software that enables your "mere" metadata to be captured and sifted, plenty of the people on the floor know that the companies they work for are or might one day be seeking contracts to do all that capturing and sifting, even if they'd rather not be subject to it personally, so they don't want their face shown saying so.

Situations like this are pretty hard to unravel. RSA can protest until they're blue in the face, but the nature of the accusation is such that their statements are already suspect. Add to that the level of distrust associated with the NSA, and the NSA's potential power over RSA. Evaluating any unprovable denial simply boils down to whether we trust RSA or not -- which is the same question we're already facing.

But part of that is true: elliptic curve was in vogue, and is in use in many places. However the Dual_EC is the one we're talking about.

Overall though, I get a very strong feeling that everyone is reacting at a gut level, as there is no evidence of collusion or a backdoor. All we have is a past presentation about how Dual_EC has some problems, RSA uses it anyway, and a journalist paraphrasing something Snowden said. What has changed is not any direct proof but instead the tenuous trust between organizati

I had a similar thought, though without seeing video of the author's behavior it is impossible to tell how much of their reaction was due to the subject vs the person doing the asking. Given that the blogger in question has built a bit of a brand and pride around being obnoxious, I would not be surprised if the latter played a role.

First they came for the tacos, and I did not speak out -- because we had a CmDrTaCo.
Then they came for the tequila drinks, and I did not speak out -- because I was more a fan of Wine.
Then they came for the chips 'n dips, and I did not speak out -- because everyone had moved on to Slashdot.
Then they came for Slashdot, -- there was no one left to speak for it...

I don't think this little stunt has anything to say about a "problem with a surveillance society"; they have something to say about a problem with some a$$hole ambushing some geeks at a tech conference that just want to get their lunch and get back to the conference sessions.

And the RSA did go on record. They said it wasn't true. As far as going into the gory details of the contract? Contract details of any contract, with any customer, are generally not something a security company is ever going to disclose. That's not surveillance-state paranoia or evidence of evildoing; it's routine business practice.

If the contract is such that you are abetting the government in unconstitutional searches, then well, it seems worthy of getting pissed off about and definitely worthy of being labeled "surveillance state".

As a long time (and lazily anonymous, sue me) reader of slashdot I'm always amazed at how many commenters seem willing to give companies/corporations/government a pass because it's just "routine" business practice.

If it's routine for a company not to tell me how it makes its product, okay fine (maybe). If

The RSA has already explicitly said the contract doesn't say what they are accused of it saying. What else do you want them to do? They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

Now, I'm not saying that RSA isn't lying, but if they were, would you believe that any contract they produced was an accurate one? Probably not. Talk about "Damned if you do, damned if you don't."

Sure, they can release the details of that contract. Government contracts are supposed to be public. Go take a look at usaspending.gov and fpds.gov. There are plenty of security contracts posted there, just not any between RSA and NSA. It's not the easiest system in the world to navigate; you have to know a lot about government contracting to make sense of it.

But, you'll see military hardware contracts, homeland security database contracts, all of them are published on federal websites as a matter of course (you have to get special approval to not post a contract publicly). The government mandates this so that competing companies and the public can see that they're getting a "fair deal". Never mind that a lot of these show they weren't competed; no one actually takes advantage of government transparency when it's available.

The defense and intelligence parts of the budget have very large parts that are a "black box". As well they should be. It's a bit difficult to carry out secret projects if all your contracts are open to anybody that wants to read them.

Yes, such contracts are vulnerable to abuse and oversight problems. But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.

> They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters was for example to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.

RSA Security also have not yet given a good explanation for why they ignored the multitude of red fl

"The RSA has already explicitly said the contract doesn't say what they are accused of it saying."

Link? Because what I remember reading from them was more of a very carefully calculated non-answer. Did not deny the elements of the crime, but very vaguely denied any intent. An evasive, lawyerly answer, not a straightforward denial at all.

So have you stopped beating your wife? Trouble with that sort of question is that you can't say yes and you can't say no, and it's intentionally designed to be highly provocative, so the answer is very likely to be "fuck off you, go bother someone else." So when someone is asked "please give us details of the crime we all know you committed" you are going to get that sort of answer.

Imagine an FBI agent. He has been spotted accepting a large sum of money from a prominent mob boss. He 'just happens' to have recently made a few odd decisions in his investigation that were very favorable to the very same mob boss. Do you expect anyone to just accept when he says 'it wasn't a bribe'?

Except that many many people are working with the NSA. It was common place to do this for a very long time. Companies and researchers worked with them because NSA was the undisputed expert in crypto. Their mission statement was not to spy on US citizens, that is only a recent discovery. For much of their history they worked to improve and strengthen crypto standards and this is documented.

Right now there is a hint that there is a backdoor, a hint that RSA took money, and these hints are troubling. Howe

It's a wee bit more specific. RSA made a truly bizarre choice to default to a broken RNG that had absolutely no benefit and many risks (it was slower, more memory hungry and untested). We know the NSA created that RNG to be subtly weak. We know that RSA took a largish payoff.

They either got suddenly stupid or they took a payoff. Neither suggests confidence in their products or recommendations.

Yes, many have worked with the NSA in the past. Some stopped after the world found out the NSA was not what they tho

Ahm.. not posting private contracts is a pretty reasonable 'routine' business practice. That is not a 'pass' it is a 'of course they are not going to publish it', and looking to it as proof they were up to something nefarious is just another 'if you are not guilty you have nothing to hide' argument.

You're mixing two things together. First you assume a priori that they must be guilty in assisting in spying or in adding a backdoor. Second, they got a contract. You conflate the two into assuming that they got a contract in order to add the back door. No one is saying it is routine to give away our info to the government, and no one is defending that.

All we really have right now are accusations but no real evidence. Now the contract from NSA would be fishy if it was the only contract they ever got and

They were accused of taking a $10M bribe to backdoor an encryption algorithm. RSA says it's not true. There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

If they truly were going to compromise the security of every one of their customers, why would they have agreed to accept a paltry $10M?

The money may be for many reasons. Maybe it sounds like a lot of money to you, but it could be supplied for many legitimate reasons. Both RSA and NSA are involved in standards committees, and creating a standard is not done for free. RSA could have been paid to work on a standard, do some research, provide a product, and so forth.

If there is indeed a backdoor the most we have proof of is that RSA were played for fools. Which actually is damning enough to cause them to lose all the credibility that they

> There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely [cryptograp...eering.com]. But that in no way excuses or explains why RSA security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine... [cryptograp...eering.com]

Although after watching a show quite a number of times, I'm no longer convinced Mal was this ethical paragon that people make him out to be. He seemed to go out of his way to make his crew think he was about to do something bad and say, "Just trust me." It turned out a minute of screen time later that that *wasn't* what he was going to do, but he seemed to be intentionally misleading.

That, and his whole "you're on the crew, you're family" mantra seemed to be veeeery malleable when he wanted it to be.

And please list all the companies you've ever worked for, to see if we should blacklist you as well. Wait, you're still posting on Slashdot, and they're owned by Dice, so clearly you're all in favor of the corporate takeover of open free speech sites.

Pity the poor hatchetmen, cruelly interrupted during lunch. I, for one, fear for the future of a society that respects the privacy of others so little...

Do I think that Our Fearless Correspondent is even remotely effective in his stated aims? Not with those tactics, he'd be hard pressed to get someone to tell him the time.

Should we care about that? Do RSA's little minions deserve to throw a veil of contractual secrecy over their lunch hour, lest their delicate feelings be offended by the sight of disapproval?

In a situation where legal redress is, in all probability, a fantasy; but displeasure is very real, isn't social disapproval an excellent response? Wouldn't it be delightful if admitting to working for a spook contractor was about as pleasant as admitting that you take the long way around that school zone because you are a convicted sex offender? Now, especially without good evidence tying individual people to individual pieces of work, you don't want to go overboard; but it would be downright wholesome if the penalty for collaboration was constant exposure to contempt.

Most of the attendees at a tech conference are front-line IT grunts (and their managers) sent there by their boss to learn about new products, techniques, etc. Most of them don't work for RSA, nor will most have been in charge of the buying decision to purchase RSA products.

This isn't a "veil of contractual secrecy" being thrown... this is some more-or-less random schmoe having a complete stranger asking him questions on camera on something on which he doesn't have enough information to make an intelligent

What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.

If the allegation is that the contract violates constitutional laws and especially if one of the partners in said contract is a branch of the government, I'd at the very least expect a general attorney to take a look at the contract. The accusation here is nothing less than RSA conspiring with a government agency to undermine constitutional rights of US citizens.

That's not enough to get a GA moving? Really? Guess they first have to torrent a few movies.

When I read what they had to say, what they seemed to be explicitly denying is that they specifically knew they were putting a back door in at the time. There was a lot of other fluff, but no substantive statement.

Here's one scenario consistent with what I read: RSA accepted $10M from the NSA to put in certain specific values in their cryptosystem, and did not at the time bother to look if it might be a back door. It was in fact a back door, and they continued pushing it for years. AFAIK, they haven'

Did you RTFA? They only turned away people who PAID to be at the conference. "Expo Only" passes, i.e. plain old tech people, were allowed access.
It is also worth noting that you are attempting to claim something as a "tech conference" and blatantly ignoring the fact that it is a SECURITY CONFERENCE.
How many free lunches has RSA given you? is probably a better question, seeing all of your pro-RSA talk on these topics.

"Plain old tech" people get paid conference passes all the time. Your company buys X amount of stuff from Y vendor (or a business partner), the vendor account rep provides your company with Z full conference passes gratis, and most of those passes end up in the hand of front-line IT grunts (they are the ones most of the education classes are targeted for.) These grunts are no more likely to be familiar with the particular facts of what they were getting interrogated on than any other geek.

> The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell.

Stupid reasoning. There are plenty of other reasons these people might not want to publicly comment. The most likely is that they're not authorized to speak for their employers, and fear rebuke or dismissal at their workplaces if they speak publicly on the topic.

Or even the rather pedestrian 'people do not like random bloggers shoving a camera in their face and just want to go about their business'. When someone does that to me, I do not care what the topic or question is, they still annoy me and I am not in a mood to cooperate or even interact with them.

There are a lot of RSA customers, so it is reasonable to expect them to show up at the RSA conference. Similarly, those customers should not be expected to do a recall of all their product lines and rewrite all the code so that they can ditch RSA as soon as possible (especially if not using Dual_EC!). Second, the RSA conference, despite the name, is not only about RSA products. It's an important venue to go to in order to learn about new products from a large variety of vendors, to network with other people

> "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

So up until then, they apparently considered all the criticism of RSA sec